Re: AuthzIDs or DNs, but not both



At 11:30 14.11.99 -0800, Kurt D. Zeilenga wrote:
It appears to me that the authzIds-are-not-necessarily-DNs
notion will cause a ripple of change through the protocol and
information model.  The introduction of authzid
representation [AuthMeth] will lead to creatorsAuthzid,
modifiersAuthzid, memberAuthzid, and many other uses of DNs
to be replaced with something that can contain both an
authzId.  I believe the addition of authzIds will
unnecessarily complicate the protocol and information model.

When we discussed this in Washington 2 years ago, I think we had an implicit assumption that the authzId in the SASL exchange, which may, but need not, be a DN, would be *mapped to* a DN if required for internal purposes.
The purpose would be that the DN need not be maintained anywhere seen by the user.


I don't remember an argument that the idea "an identity is a DN" should be abandoned.
In other words, I agree with Kurt.


                    Harald

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no